Besides identifying the risks facing an organization, internal auditors help assess the impact risks can have on companywide performance and processes. Therefore, the role of auditors is not only to evaluate risks, but to determine whether adequate controls are in place to mitigate risks effectively. Becoming familiar with the different elements of an effective risk management process can help beginner internal auditors provide recommendations that address the organization's risk management needs and identify risks before they become a threat to companywide assets and data.
What is Risk?
Both the U.S. Securities and Exchange Commission (SEC) and the U.S. Federal Financial Institutions Examinations Council (FFIEC) have addressed the need to conduct risk assessments, while frameworks such as Basel II, ISACA's Control Objectives for Information and Related Technology, and the Software Engineering Institute's Octave approach have provided risk assessment guidelines to organizations worldwide. While governance institutions and frameworks continue to expand their discussions on risk, beginner auditors may wonder what risk truly is and why risk assessments are important to the internal audit community.
According to The IIA, risk is defined as the possibility that an event will occur, which will impact an organization's achievement of objectives (The Professional Practices Framework 2004). There are many forms of risk in an organization, including IT risk, financial risk, operational risk, network security risk, and personnel risk. To address risks more effectively, organizations may use a risk management approach that identifies, assesses, manages, and controls potential events or situations.
Among other things, the goal of effective risk management is to ensure that each risk is identified, documented, prioritized, and mitigated whenever possible. Because all organizations face risk, whether positive (i.e., opportunities) or negative (i.e., events that hinder company processes), the challenge for auditors is to know when risk will occur and the impact it will have on the organization.
In addition, auditors need to consider the probability that the risk will occur. For example, it may not be necessary for the organization to worry about a particular IT risk when the likelihood that it will occur is very low and its impact is low as well. However, organizations should concentrate on low-probability risks that will have a high negative impact. As a result, looking at both the impact and the probability of each risk is important when establishing an effective risk management program that addresses companywide risk.
The Risk Management Process
When establishing a risk management process or initiative, auditors should recommend that organizations examine best management practices in the area. Typically, risk management plans have the following objectives:
- To eliminate negative risks.
- To reduce risks to an "acceptable" level if risks cannot be eliminated. This means a risk level the organization can live with, making sure that proper controls are in place to keep risks within an acceptable range.
- To transfer risks by means of insurance (i.e., insuring company assets for theft or destruction, such as hurricane or fire damage) or to transfer the risk to another organization (i.e., using a third-party vendor to install network equipment so that the vendor is made responsible for the installation's success or failure).
In 2002, the U.S. National Institute of Standards and Technology (NIST) published a set of IT security risk management best practices. The NIST document, Risk Management Guide for Information Technology Systems (PDF), discusses the IT security risk management process in detail. According to the guide, IT risk management consists of risk assessments, risk mitigation, and ongoing risk evaluations and assessments. The risk assessment stage is where the auditor identifies and evaluates each risk, the impact these risks have on the organization, and any risk-reducing recommendations. The risk mitigation stage involves prioritizing, implementing, and maintaining the appropriate risk-reduction measures recommended in the risk assessment process, while the ongoing risk evaluation and assessment stage asks that the organization continuously evaluate how effective its risk management activities are in reducing risk.
As mentioned in the NIST guide, risk assessments should be the first step in an IT risk management initiative. The end result of the risk assessment is to determine the extent of the potential threat and its associated risk, which is defined as the likelihood that a given threat can exploit or take advantage of a particular vulnerability. For example, if an auditor is evaluating an IT system, the threats to the system should be analyzed in conjunction with potential vulnerabilities and any implemented controls.
The risk assessment process begins with the identification of risk categories. An organization most likely will have several risk categories to analyze and identify risks that are specific to the organization. Examples of risk categories include:
- Technical or IT risks.
- Project management risks.
- Organizational risks.
- Financial risks.
- External risks.
- Compliance risks.
For instance, technical risks are associated with the operation of applications or programs, including computers or perimeter security devices (e.g., a computer that connects directly to the Internet could be at risk if it does not have antivirus software). An example of a project management risk could be the inability of the project manager to complete and deliver a project, causing the company to delay the release of a product to the marketplace. Organizational risks deal with how the company's infrastructure relates to business operations and the protection of its assets (e.g., the company does not have clear segregation of duties between its production and development environments), while financial risks encompass events that will have a financial impact on the organization (e.g., investing the company's cash reserves in a highly speculative investment scheme). External risks are those events that impact the organization but occur outside of its control (e.g., natural disasters such as earthquakes and floods). Finally, a compliance risk occurs when a company does not comply with mandated federal regulations, which often results in fines or legal sanctions.
Determining the Risk Likelihood Level
Once risks are identified, the next step is to determine the likelihood that the potential vulnerability can be exploited. Several factors need to be considered when determining this likelihood. First, the auditor needs to consider the source of the threat, the motivation behind the threat, and the capability of the source. Next, auditors need to determine the nature of the vulnerability and, finally, the existence and effectiveness of current controls to deter or mitigate the vulnerability. The likelihood that a potential vulnerability could be exploited can be described as high, medium, or low, as noted in Table 1 below.

| Likelihood level | Definition |
|---|---|
| High | The threat's source is highly motivated and sufficiently capable, and controls that prevent the vulnerability from being exercised are ineffective. |
| Medium | The threat's source is motivated and capable, but controls are in place that may impede a successful exercise of the vulnerability. |
| Low | The threat's source lacks motivation or capability, and controls are in place to prevent or significantly impede the vulnerability from being exercised. |

Table 1: Risk Likelihood Levels (adapted from NIST's Risk Management Guide for Information Technology Systems)
Identifying the Risk's Impact
The next step is to determine the impact that the threat could have on the organization. It is important for auditors to understand that not all threats will have the same impact. This is because each system in the organization most likely will have a different value (i.e., not all systems in the organization are worth the same or regarded in the same way). For instance, to evaluate the value of a system, auditors should identify the processes performed by the system, the system's importance to the company, and the value or sensitivity of the data in the system. A system that handles the company's payroll will have more value than the system that is used to keep the lunchroom menu database.
The impact of a security event can be defined as a breach or loss of confidentiality, integrity, or availability, which may result in an unauthorized disclosure of company information (i.e., loss of confidentiality), the improper modification of the information (i.e., loss of integrity), and a system's unavailability when needed (i.e., loss of availability). The magnitude of impact also can be categorized as high, medium, or low as shown in Table 2 below.
| Impact level | Definition |
|---|---|
| High | High-impact risks may result in the highly costly loss of assets; may significantly violate, harm, or impede operations; or may cause human death or serious injury. |
| Medium | Medium-impact risks may result in the costly loss of assets; may violate, harm, or impede operations; or may cause human injury. |
| Low | Low-impact risks may result in the loss of some assets or may noticeably affect operations. |

Table 2: Risk Impact Levels (adapted from NIST's Risk Management Guide for Information Technology Systems)
In addition, auditors need to measure the risk's actual impact on the organization. This can be done by measuring the risk's impact in a quantitative (e.g., revenue loss or the cost to replace IT equipment) or qualitative manner (e.g., the loss of public confidence when a security breach is announced in the media). There are advantages and disadvantages to both approaches.
The quantitative impact analysis approach provides a definite measure of the impact's magnitude, which can be used to calculate a control's cost-benefit ratio. For instance, if an asset's loss-of-availability impact is defined quantitatively as US $1,000, then a US $10 control to mitigate the threat has a cost-benefit ratio of 100 to 1 ($1,000/$10).
A major disadvantage of this quantitative approach is the use of wide numerical ranges that can become quite confusing. For example, a 100 to 1 cost-benefit calculation can be obtained from a $1,000 loss and a $10 mitigating control or from a $500 loss and a $5 mitigating control. Therefore, simply looking at the final 100 to 1 cost benefit does not really give auditors an idea of the actual negative impact or the cost of the mitigating control. All the auditor gets are numbers in the form of ratios.
On the other hand, the advantage of qualitative (i.e., high, medium, or low) analysis is that it allows the auditor to prioritize risks and identify improvement areas quickly. However, this approach does not provide the means to calculate the cost-benefit for any of the recommended controls. That is, the auditor can determine that a particular asset has a high risk, but he or she will not know what the impact's cost will be or the mitigating control's effectiveness.
Once a risk's impact is measured, the auditor can identify its probability of occurring and complete an impact assessment for each risk. Table 3 below can be used when determining the risk's probability or likelihood of occurrence:

| Threat likelihood | Low impact (10) | Medium impact (20) | High impact (30) |
|---|---|---|---|
| High (1.0) | 10 (10 x 1.0) | 20 (20 x 1.0) | 30 (30 x 1.0) |
| Medium (0.5) | 5 (10 x 0.5) | 10 (20 x 0.5) | 15 (30 x 0.5) |
| Low (0.1) | 1 (10 x 0.1) | 2 (20 x 0.1) | 3 (30 x 0.1) |

Table 3: Threat Probability Table
When using Table 3, the auditor will rate the risk as having a low, medium, or high impact. The table defines the risk's impact scale as:
- Low: 1 to 10.
- Medium: 11 to 20.
- High: 21 to 30.
Table 3 also defines a high risk as having a value of 1.0, a medium risk as having a value of 0.5, and a low risk as having a value of 0.1. A threat has the highest risk (i.e., a value of 30) if the impact is high and the threat probability is high (i.e., a value of 1.0). A threat has the lowest risk (i.e., a value of 1) if the impact is low and the threat probability is low (i.e., a value of 0.1). Before using this table, auditors need to keep in mind that the ranges used in these examples are arbitrary. Auditors may use any ranges, such as 1 to 25 for a low-impact threat, 26 to 50 for a medium-impact threat, and 51 to 75 for a high-impact threat, if desired. For instance, auditors can only choose one of the numbers from each of the sets (i.e., 1, 2, 3 for low-impact threats; 5, 10, 15 for medium-impact threats; and 10, 20, 30 for high-impact threats). The main concept is to assign a value range for low-, medium-, and high-impact threats so that the auditor has a common risk assessment reference point. The same is true of the threat probability numbers used in the chart.
When addressing risks, many organizations usually start by correcting those risks with a lower impact to the organization and a lower probability because these are easier to fix — and fixing a greater number of open issues in a short amount of time looks better on paper. However, auditors should recommend that organizations start by addressing those risks that will have the highest likelihood of occurring and will have the highest impact. This is because by focusing on the low-impact risks first, the company still remains vulnerable to the high impact risks that can cause irreparable damage.
In addition, while high impact/high likelihood risks should be a high priority, low impact/high likelihood risks and high impact/low likelihood risks also may require immediate attention. Therefore, each risk should be carefully evaluated before determining which risk needs to be addressed first. For example, a system that is connected to the Internet may be highly vulnerable because a specific software patch is not installed and any Trojan coming from the Internet can infect the system. As a result, if the system remains unpatched, it could greatly impact the organization's day-to-day operations (i.e., should the system remain unpatched, there is a high likelihood the system will have a high impact on the organization).
Now, imagine that the organization uses another system that is not connected to the Internet. In this case, the impact to the organization is still high because the system is not patched and vulnerable to any Trojan that makes its way through the network. However, because the machine is not connected to the Internet, the threat likelihood is low (i.e., this is an example of a high impact/low probability risk). From these two situations, the auditor can determine that the first system poses a higher risk to the organization and should be fixed first.
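The scoring in Table 3 and the two unpatched-system scenarios above, worked through as an added example (this is not code from the article or from NIST). It multiplies the impact value by the likelihood value, maps the result onto the article's low/medium/high risk scale, and ranks the constructed sample risks highest score first; the value tables are parameters so an auditor can substitute the alternative ranges the article mentions.

```python
"""Risk scoring with the Table 3 scales from the article (added example)."""
from dataclasses import dataclass

# Impact and likelihood values as used in Table 3; the article notes these ranges are arbitrary.
IMPACT_VALUES = {"low": 10, "medium": 20, "high": 30}
LIKELIHOOD_VALUES = {"low": 0.1, "medium": 0.5, "high": 1.0}
# Risk scale from the article: low 1-10, medium 11-20, high 21-30 (inclusive upper bounds).
RISK_SCALE = [(10, "low"), (20, "medium"), (30, "high")]


@dataclass(frozen=True)
class Risk:
    name: str
    impact: str      # "low" | "medium" | "high"
    likelihood: str  # "low" | "medium" | "high"


def risk_score(impact, likelihood, impact_values=IMPACT_VALUES, likelihood_values=LIKELIHOOD_VALUES):
    """One Table 3 cell: impact value times likelihood value (rounded to avoid float noise)."""
    return round(impact_values[impact.lower()] * likelihood_values[likelihood.lower()], 2)


def risk_level(score, scale=RISK_SCALE):
    """Map a score onto the low/medium/high risk scale; anything above the top bound is high."""
    for upper_bound, level in scale:
        if score <= upper_bound:
            return level
    return scale[-1][1]


def threat_probability_table():
    """Recreate Table 3 as {likelihood: {impact: score}} so the scales can be reviewed."""
    return {lk: {im: risk_score(im, lk) for im in IMPACT_VALUES} for lk in LIKELIHOOD_VALUES}


def prioritize(risks):
    """Order risks highest score first, so high impact/high likelihood items are addressed first."""
    scored = [(risk_score(r.impact, r.likelihood), r) for r in risks]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample: the two unpatched systems from the article plus a low-value system.
SAMPLE_RISKS = [
    Risk("unpatched server, not connected to the Internet", "high", "low"),
    Risk("unpatched server, connected to the Internet", "high", "high"),
    Risk("lunchroom menu database, no backups", "low", "medium"),
]

if __name__ == "__main__":
    for score, risk in prioritize(SAMPLE_RISKS):
        print(f"{score:5.1f}  {risk_level(score):6}  {risk.name}")
```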
Many organizations are implementing risk management programs that can help them address companywide risks and potential threats. In the area of IT, an effective risk management program relies on the auditor's expertise, thus enabling the organization to apply the necessary risk management controls to a specific area or IT system.
To maximize its effectiveness, auditors should recommend that the risk management initiative receive the support and commitment of senior management. This will help to set the proper tone at the top for the program, as well as ensure that controls are managed properly and that company staff adhere to the risk management policies and procedures that are implemented. In addition, the proper tone at the top will help to establish the organization's attitude toward risk and the kinds of risks that are acceptable. Finally, the audit team needs to have the proper training or expertise in the area of risk management to better identify and rate risk levels, as well as to evaluate controls to determine whether they meet the organization's risk management needs.
Besides the NIST guide and the regulations and frameworks mentioned at the beginning of this article, beginner internal auditors can refer to the following two documents for additional information on the risk management process:
- "Auditing System Conversions" by Dan Swanson, CIA, CMA, CISA, CISSP, CAP.
- "The Role of Internal Audit in Enterprisewide Risk Management" (PDF) by The IIA.